Sok Dymang

Assign permission to Domain user to be able to make change on local computer

I have one Windows user (Win10) that joined the domain, so normally they will have no permission to make any changes on the local computer. I want to give that domain user permission to only install software on their computer, but every strict permission keep as original. How do I do that?
bbao

> but every strict permission keep as original,

What do you mean by this? Do you actually mean to prevent a domain user from uninstalling existing or pre-installed software on his/her Windows 10 computer?
Sok Dymang

ASKER

I only want him to be able to install something on his computer, @bbao.
> want him to be able to install something on his computer

That's by default, if the user is a local admin, not a domain admin.

:)
That user is a domain user, and I want him to be able to make changes on her computer.
As mentioned above, as long as you keep the user as a LOCAL administrator on top of a common domain user, she can do that.
As the gentleman above said, this will work, but keep in mind that if you want to install a program as local admin, you need to log in locally and not in the domain.
You can change lines 1, 2, 12.
And set it as a GPO starter script.
Set it as GPO.
User Configuration/Policies/Windows Settings/Scripts/Logon/Test.vbs


strUser = "test"
strPassword = "Pa$$w0rds"

Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objNS = GetObject("WinNT:")
Set objUser = objNS.OpenDSObject("WinNT://<DOMAIN>/" & strUser & ",user", _
    strUser, strPassword, ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)


If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add(objUser.ADsPath)
 '  Wscript.Echo strUser & " added to local administrators."
End If


Please don't use the script above, as anybody can view that cleartext password and it will make all users that this policy applies to admins.

You do get applications that can install as a user if the vendors publish it properly, for example, ClickOnce applications.
Pointing right back at the original comment here from bbao, you can make a domain user a local administrator on an individual PC. You just need to establish that right on the machine in question. It does not elevate their permissions elsewhere.
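
The single-machine approach described in the comment above, as an added example that is not part of the original thread: it adds one named domain account to the local Administrators group of the PC it runs on, stores no password, and does nothing on machines that are not explicitly listed. It assumes an elevated PowerShell session on the target PC; the function name, `CONTOSO\jdoe` and `PC-0142` are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. 'CONTOSO\jdoe', 'PC-0142' and the function name are placeholders,
# not values from the thread. No password is stored anywhere in this script.

function Grant-LocalAdminOnThisPC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Account,
        # Machines this script is allowed to change. It is mandatory, so a copy
        # that reaches a PC outside the list makes no change there.
        [Parameter(Mandatory)]
        [string[]]$AllowedComputers
    )

    if ($AllowedComputers -notcontains $env:COMPUTERNAME) {
        Write-Warning "$env:COMPUTERNAME is not in the allowed list; no change made."
        return
    }

    # Resolve the account to a SID first, so a mistyped name fails before any change.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # which avoids depending on the localized group name.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'
    $current = @(Get-LocalGroupMember -Group $group)

    if ($current.SID.Value -contains $sid.Value) {
        Write-Verbose "$Account is already a local administrator."
    }
    elseif ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Add $Account to $($group.Name)")) {
        Add-LocalGroupMember -Group $group -Member $Account
    }

    # Return the resulting membership so the change can be reviewed or logged.
    Get-LocalGroupMember -Group $group | Select-Object Name, ObjectClass, PrincipalSource
}

# Preview first, then apply:
# Grant-LocalAdminOnThisPC -Account 'CONTOSO\jdoe' -AllowedComputers 'PC-0142' -WhatIf
# Grant-LocalAdminOnThisPC -Account 'CONTOSO\jdoe' -AllowedComputers 'PC-0142'
```

The returned membership list also serves as a periodic audit of who holds local administrator rights on that PC.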
ASKER CERTIFIED SOLUTION
Giovanni
This solution is only available to members.